Now using project "my-project" on server "https://openshift.example.com:6443".

Now using project "my-project" on server "https://openshift.example.com:6443".

--> Found image 40de956 (9 days old) in imagestream "openshift/php" under tag "7.2" for "php"...    Run 'oc status' to view your app.

--> Found image 40de956 (9 days old) in imagestream "openshift/php" under tag "7.2" for "php"...    Run 'oc status' to view your app.

NAME                  READY   STATUS      RESTARTS   AGE     IP            NODE                           NOMINATED NODEcakephp-ex-1-build    0/1     Completed   0          5m45s   10.131.0.10   ip-10-0-141-74.ec2.internal    <none>cakephp-ex-1-deploy   0/1     Completed   0          3m44s   10.129.2.9    ip-10-0-147-65.ec2.internal    <none>cakephp-ex-1-ktz97    1/1     Running     0          3m33s   10.128.2.11   ip-10-0-168-105.ec2.internal   <none>

NAME                  READY   STATUS      RESTARTS   AGE     IP            NODE                           NOMINATED NODEcakephp-ex-1-build    0/1     Completed   0          5m45s   10.131.0.10   ip-10-0-141-74.ec2.internal    <none>cakephp-ex-1-deploy   0/1     Completed   0          3m44s   10.129.2.9    ip-10-0-147-65.ec2.internal    <none>cakephp-ex-1-ktz97    1/1     Running     0          3m33s   10.128.2.11   ip-10-0-168-105.ec2.internal   <none>

--> Scaling cakephp-ex-1 to 1--> Success

--> Scaling cakephp-ex-1 to 1--> Success

Using project "my-project" on server "https://openshift.example.com:6443".

Using project "my-project" on server "https://openshift.example.com:6443".

In project my-project on server https://openshift.example.com:6443svc/cakephp-ex - 172.30.236.80 ports 8080, 8443  dc/cakephp-ex deploys istag/cakephp-ex:latest <-    bc/cakephp-ex source builds https://github.com/sclorg/cakephp-ex on openshift/php:7.2    deployment #1 deployed 2 minutes ago - 1 pod3 infos identified, use 'oc status --suggest' to see details.

In project my-project on server https://openshift.example.com:6443svc/cakephp-ex - 172.30.236.80 ports 8080, 8443  dc/cakephp-ex deploys istag/cakephp-ex:latest <-    bc/cakephp-ex source builds https://github.com/sclorg/cakephp-ex on openshift/php:7.2    deployment #1 deployed 2 minutes ago - 1 pod3 infos identified, use 'oc status --suggest' to see details.

NAME                                  SHORTNAMES       APIGROUP                              NAMESPACED   KINDbindings                                                                                     true         Bindingcomponentstatuses                     cs                                                     false        ComponentStatusconfigmaps                            cm                                                     true         ConfigMap...

NAME                                  SHORTNAMES       APIGROUP                              NAMESPACED   KINDbindings                                                                                     true         Bindingcomponentstatuses                     cs                                                     false        ComponentStatusconfigmaps                            cm                                                     true         ConfigMap...

Update pod 'foo' with the annotation 'description' and the value 'my frontend'

# Update pod 'foo' with the annotation 'description' and the value 'my frontend'# If the same annotation is set multiple times, only the last value will be applied  oc annotate pods foodescription='my frontend'# Update a pod identified by type and name in "pod.json"  oc annotate-f pod.jsondescription='my frontend'# Update pod 'foo' with the annotation 'description' and the value 'my frontend running nginx', overwriting any existing value  oc annotate--overwrite pods foodescription='my frontend running nginx'# Update all pods in the namespace  oc annotate pods--alldescription='my frontend running nginx'# Update pod 'foo' only if the resource is unchanged from version 1  oc annotate pods foodescription='my frontend running nginx' --resource-version=1# Update pod 'foo' by removing an annotation named 'description' if it exists# Does not require the --overwrite flag  oc annotate pods foo description-

Print the supported API resources

# Print the supported API resources  oc api-resources# Print the supported API resources with more information  oc api-resources-o wide# Print the supported API resources sorted by a column  oc api-resources --sort-by=name# Print the supported namespaced resources  oc api-resources--namespaced=true# Print the supported non-namespaced resources  oc api-resources--namespaced=false# Print the supported API resources with a specific APIGroup  oc api-resources --api-group=rbac.authorization.k8s.io

Print the supported API versions

# Print the supported API versions  oc api-versions

Apply the configuration in pod.json to a pod

# Apply the configuration in pod.json to a pod  oc apply-f ./pod.json# Apply resources from a directory containing kustomization.yaml - e.g. dir/kustomization.yaml  oc apply-k dir/# Apply the JSON passed into stdin to a podcat pod.json| oc apply-f -# Apply the configuration from all files that end with '.json'  oc apply-f'*.json'# Note: --prune is still in Alpha# Apply the configuration in manifest.yaml that matches label app=nginx and delete all other resources that are not in the file and match label app=nginx  oc apply--prune-f manifest.yaml-lapp=nginx# Apply the configuration in manifest.yaml and delete all the other config maps that are not in the file  oc apply--prune-f manifest.yaml--all --prune-allowlist=core/v1/ConfigMap

Edit the last-applied-configuration annotations by type/name in YAML

# Edit the last-applied-configuration annotations by type/name in YAML  oc apply edit-last-applied deployment/nginx# Edit the last-applied-configuration annotations by file in JSON  oc apply edit-last-applied-f deploy.yaml-o json

Set the last-applied-configuration of a resource to match the contents of a file

# Set the last-applied-configuration of a resource to match the contents of a file  oc apply set-last-applied-f deploy.yaml# Execute set-last-applied against each configuration file in a directory  oc apply set-last-applied-f path/# Set the last-applied-configuration of a resource to match the contents of a file; will create the annotation if it does not already exist  oc apply set-last-applied-f deploy.yaml --create-annotation=true

View the last-applied-configuration annotations by type/name in YAML

# View the last-applied-configuration annotations by type/name in YAML  oc apply view-last-applied deployment/nginx# View the last-applied-configuration annotations by file in JSON  oc apply view-last-applied-f deploy.yaml-o json

Get output from running pod mypod; use the 'oc.kubernetes.io/default-container' annotation

# Get output from running pod mypod; use the 'oc.kubernetes.io/default-container' annotation# for selecting the container to be attached or the first container in the pod will be chosen  oc attach mypod# Get output from ruby-container from pod mypod  oc attach mypod-c ruby-container# Switch to raw terminal mode; sends stdin to 'bash' in ruby-container from pod mypod# and sends stdout/stderr from 'bash' back to the client  oc attach mypod-c ruby-container-i-t# Get output from the first pod of a replica set named nginx  oc attach rs/nginx

Check to see if I can create pods in any namespace

# Check to see if I can create pods in any namespace  oc auth can-i create pods --all-namespaces# Check to see if I can list deployments in my current namespace  oc auth can-i list deployments.apps# Check to see if service account "foo" of namespace "dev" can list pods in the namespace "prod"# You must be allowed to use impersonation for the global option "--as"  oc auth can-i list pods--as=system:serviceaccount:dev:foo-n prod# Check to see if I can do everything in my current namespace ("*" means all)  oc auth can-i'*''*'# Check to see if I can get the job named "bar" in namespace "foo"  oc auth can-i list jobs.batch/bar-n foo# Check to see if I can read pod logs  oc auth can-i get pods--subresource=log# Check to see if I can access the URL /logs/  oc auth can-i get /logs/# Check to see if I can approve certificates.k8s.io  oc auth can-i approve certificates.k8s.io# List all allowed actions in namespace "foo"  oc auth can-i--list--namespace=foo

Reconcile RBAC resources from a file

# Reconcile RBAC resources from a file  oc auth reconcile-f my-rbac-rules.yaml

Get your subject attributes

# Get your subject attributes  oc authwhoami# Get your subject attributes in JSON format  oc authwhoami-o json

Auto scale a deployment "foo", with the number of pods between 2 and 10, no target CPU utilization specified so a default autoscaling policy will be used

# Auto scale a deployment "foo", with the number of pods between 2 and 10, no target CPU utilization specified so a default autoscaling policy will be used  oc autoscale deployment foo--min=2--max=10# Auto scale a replication controller "foo", with the number of pods between 1 and 5, target CPU utilization at 80%  oc autoscale rc foo--max=5 --cpu-percent=80

Cancel the build with the given name

# Cancel the build with the given name  oc cancel-build ruby-build-2# Cancel the named build and print the build logs  oc cancel-build ruby-build-2 --dump-logs# Cancel the named build and create a new one with the same parameters  oc cancel-build ruby-build-2--restart# Cancel multiple builds  oc cancel-build ruby-build-1 ruby-build-2 ruby-build-3# Cancel all builds created from the 'ruby-build' build config that are in the 'new' state  oc cancel-build bc/ruby-build--state=new

Print the address of the control plane and cluster services

# Print the address of the control plane and cluster services  oc cluster-info

Dump current cluster state to stdout

# Dump current cluster state to stdout  oc cluster-info dump# Dump current cluster state to /path/to/cluster-state  oc cluster-info dump --output-directory=/path/to/cluster-state# Dump all namespaces to stdout  oc cluster-info dump --all-namespaces# Dump a set of namespaces to /path/to/cluster-state  oc cluster-info dump--namespaces default,kube-system --output-directory=/path/to/cluster-state

Installing bash completion on macOS using homebrew

# Installing bash completion on macOS using homebrew## If running Bash 3.2 included with macOS  brewinstall bash-completion## or, if running Bash 4.1+  brewinstall bash-completion@2## If oc is installed via homebrew, this should start working immediately## If you've installed via other means, you may need add the completion to your completion directory  oc completionbash>$(brew--prefix)/etc/bash_completion.d/oc# Installing bash completion on Linux## If bash-completion is not installed on Linux, install the 'bash-completion' package## via your distribution's package manager.## Load the oc completion code for bash into the current shellsource<(oc completionbash)## Write bash completion code to a file and source it from .bash_profile  oc completionbash> ~/.kube/completion.bash.incprintf"  # oc shell completion  source '$HOME/.kube/completion.bash.inc'  ">>$HOME/.bash_profilesource$HOME/.bash_profile# Load the oc completion code for zsh[1] into the current shellsource<(oc completionzsh)# Set the oc completion code for zsh[1] to autoload on startup  oc completionzsh>"${fpath[1]}/_oc"# Load the oc completion code for fish[2] into the current shell  oc completion fish|source# To load completions for each session, execute once:  oc completion fish> ~/.config/fish/completions/oc.fish# Load the oc completion code for powershell into the current shell  oc completion powershell| Out-String| Invoke-Expression# Set oc completion code for powershell to run on startup## Save completion code to a script and execute in the profile  oc completion powershell>$HOME\.kube\completion.ps1  Add-Content$PROFILE"$HOME\.kube\completion.ps1"## Execute completion code in the profile  Add-Content$PROFILE"if (Get-Command oc -ErrorAction SilentlyContinue) {  oc completion powershell | Out-String | Invoke-Expression  }"## Add completion code directly to the $PROFILE script  oc completion powershell>>$PROFILE

Display the current-context

# Display the current-context  oc config current-context

Delete the minikube cluster

# Delete the minikube cluster  oc config delete-cluster minikube

Delete the context for the minikube cluster

# Delete the context for the minikube cluster  oc config delete-context minikube

Delete the minikube user

# Delete the minikube user  oc config delete-user minikube

List the clusters that oc knows about

# List the clusters that oc knows about  oc config get-clusters

List all the contexts in your kubeconfig file

# List all the contexts in your kubeconfig file  oc config get-contexts# Describe one context in your kubeconfig file  oc config get-contexts my-context

List the users that oc knows about

# List the users that oc knows about  oc config get-users

Generate a new admin kubeconfig

# Generate a new admin kubeconfig  oc config new-admin-kubeconfig

Generate a new kubelet bootstrap kubeconfig

# Generate a new kubelet bootstrap kubeconfig  oc config new-kubelet-bootstrap-kubeconfig

Refresh the CA bundle for the current context's cluster

# Refresh the CA bundle for the current context's cluster  oc config refresh-ca-bundle# Refresh the CA bundle for the cluster named e2e in your kubeconfig  oc config refresh-ca-bundle e2e# Print the CA bundle from the current OpenShift cluster's API server  oc config refresh-ca-bundle --dry-run

Rename the context 'old-name' to 'new-name' in your kubeconfig file

# Rename the context 'old-name' to 'new-name' in your kubeconfig file  oc config rename-context old-name new-name

Set the server field on the my-cluster cluster to https://1.2.3.4

# Set the server field on the my-cluster cluster to https://1.2.3.4  oc configset clusters.my-cluster.server https://1.2.3.4# Set the certificate-authority-data field on the my-cluster cluster  oc configset clusters.my-cluster.certificate-authority-data$(echo"cert_data_here"| base64-i -)# Set the cluster field in the my-context context to my-cluster  oc configset contexts.my-context.cluster my-cluster# Set the client-key-data field in the cluster-admin user using --set-raw-bytes option  oc configset users.cluster-admin.client-key-data cert_data_here --set-raw-bytes=true

Set only the server field on the e2e cluster entry without touching other values

# Set only the server field on the e2e cluster entry without touching other values  oc config set-cluster e2e--server=https://1.2.3.4# Embed certificate authority data for the e2e cluster entry  oc config set-cluster e2e --embed-certs --certificate-authority=~/.kube/e2e/kubernetes.ca.crt# Disable cert checking for the e2e cluster entry  oc config set-cluster e2e --insecure-skip-tls-verify=true# Set the custom TLS server name to use for validation for the e2e cluster entry  oc config set-cluster e2e --tls-server-name=my-cluster-name# Set the proxy URL for the e2e cluster entry  oc config set-cluster e2e --proxy-url=https://1.2.3.4

Set the user field on the gce context entry without touching other values

# Set the user field on the gce context entry without touching other values  oc config set-context gce--user=cluster-admin

Set only the "client-key" field on the "cluster-admin"

# Set only the "client-key" field on the "cluster-admin"# entry, without touching other values  oc config set-credentials cluster-admin --client-key=~/.kube/admin.key# Set basic auth for the "cluster-admin" entry  oc config set-credentials cluster-admin--username=admin--password=uXFGweU9l35qcif# Embed client certificate data in the "cluster-admin" entry  oc config set-credentials cluster-admin --client-certificate=~/.kube/admin.crt --embed-certs=true# Enable the Google Compute Platform auth provider for the "cluster-admin" entry  oc config set-credentials cluster-admin --auth-provider=gcp# Enable the OpenID Connect auth provider for the "cluster-admin" entry with additional arguments  oc config set-credentials cluster-admin --auth-provider=oidc --auth-provider-arg=client-id=foo --auth-provider-arg=client-secret=bar# Remove the "client-secret" config value for the OpenID Connect auth provider for the "cluster-admin" entry  oc config set-credentials cluster-admin --auth-provider=oidc --auth-provider-arg=client-secret-# Enable new exec auth plugin for the "cluster-admin" entry  oc config set-credentials cluster-admin --exec-command=/path/to/the/executable --exec-api-version=client.authentication.k8s.io/v1beta1# Enable new exec auth plugin for the "cluster-admin" entry with interactive mode  oc config set-credentials cluster-admin --exec-command=/path/to/the/executable --exec-api-version=client.authentication.k8s.io/v1beta1 --exec-interactive-mode=Never# Define new exec auth plugin arguments for the "cluster-admin" entry  oc config set-credentials cluster-admin --exec-arg=arg1 --exec-arg=arg2# Create or update exec auth plugin environment variables for the "cluster-admin" entry  oc config set-credentials cluster-admin --exec-env=key1=val1 --exec-env=key2=val2# Remove exec auth plugin environment variables for the "cluster-admin" entry  oc config set-credentials cluster-admin --exec-env=var-to-remove-

Unset the current-context

# Unset the current-context  oc configunset current-context# Unset namespace in foo context  oc configunset contexts.foo.namespace

Use the context for the minikube cluster

# Use the context for the minikube cluster  oc config use-context minikube

Show merged kubeconfig settings

# Show merged kubeconfig settings  oc config view# Show merged kubeconfig settings, raw certificate data, and exposed secrets  oc config view--raw# Get the password for the e2e user  oc config view-ojsonpath='{.users[?(@.name == "e2e")].user.password}'

!!!Important Note!!!

# !!!Important Note!!!# Requires that the 'tar' binary is present in your container# image.  If 'tar' is not present, 'oc cp' will fail.## For advanced use cases, such as symlinks, wildcard expansion or# file mode preservation, consider using 'oc exec'.# Copy /tmp/foo local file to /tmp/bar in a remote pod in namespace <some-namespace>tar cf - /tmp/foo| ocexec-i-n<some-namespace><some-pod> --tar xf --C /tmp/bar# Copy /tmp/foo from a remote pod to /tmp/bar locally  ocexec-n<some-namespace><some-pod> --tar cf - /tmp/foo|tar xf --C /tmp/bar# Copy /tmp/foo_dir local directory to /tmp/bar_dir in a remote pod in the default namespace  occp /tmp/foo_dir<some-pod>:/tmp/bar_dir# Copy /tmp/foo local file to /tmp/bar in a remote pod in a specific container  occp /tmp/foo<some-pod>:/tmp/bar-c<specific-container># Copy /tmp/foo local file to /tmp/bar in a remote pod in namespace <some-namespace>  occp /tmp/foo<some-namespace>/<some-pod>:/tmp/bar# Copy /tmp/foo from a remote pod to /tmp/bar locally  occp<some-namespace>/<some-pod>:/tmp/foo /tmp/bar

Create a pod using the data in pod.json

# Create a pod using the data in pod.json  oc create-f ./pod.json# Create a pod based on the JSON passed into stdincat pod.json| oc create-f -# Edit the data in registry.yaml in JSON then create the resource using the edited data  oc create-f registry.yaml--edit-o json

Create a new build

# Create a new build  oc create build myapp

Create a cluster resource quota limited to 10 pods

# Create a cluster resource quota limited to 10 pods  oc create clusterresourcequota limit-bob --project-annotation-selector=openshift.io/requester=user-bob--hard=pods=10

Create a cluster role named "pod-reader" that allows user to perform "get", "watch" and "list" on pods

# Create a cluster role named "pod-reader" that allows user to perform "get", "watch" and "list" on pods  oc create clusterrole pod-reader--verb=get,list,watch--resource=pods# Create a cluster role named "pod-reader" with ResourceName specified  oc create clusterrole pod-reader--verb=get--resource=pods --resource-name=readablepod --resource-name=anotherpod# Create a cluster role named "foo" with API Group specified  oc create clusterrole foo--verb=get,list,watch--resource=rs.apps# Create a cluster role named "foo" with SubResource specified  oc create clusterrole foo--verb=get,list,watch--resource=pods,pods/status# Create a cluster role name "foo" with NonResourceURL specified  oc create clusterrole"foo"--verb=get --non-resource-url=/logs/*# Create a cluster role name "monitoring" with AggregationRule specified  oc create clusterrole monitoring --aggregation-rule="rbac.example.com/aggregate-to-monitoring=true"

Create a cluster role binding for user1, user2, and group1 using the cluster-admin cluster role

# Create a cluster role binding for user1, user2, and group1 using the cluster-admin cluster role  oc create clusterrolebinding cluster-admin--clusterrole=cluster-admin--user=user1--user=user2--group=group1

Create a new config map named my-config based on folder bar

# Create a new config map named my-config based on folder bar  oc create configmap my-config --from-file=path/to/bar# Create a new config map named my-config with specified keys instead of file basenames on disk  oc create configmap my-config --from-file=key1=/path/to/bar/file1.txt --from-file=key2=/path/to/bar/file2.txt# Create a new config map named my-config with key1=config1 and key2=config2  oc create configmap my-config --from-literal=key1=config1 --from-literal=key2=config2# Create a new config map named my-config from the key=value pairs in the file  oc create configmap my-config --from-file=path/to/bar# Create a new config map named my-config from an env file  oc create configmap my-config --from-env-file=path/to/foo.env --from-env-file=path/to/bar.env

Create a cron job

# Create a cron job  oc create cronjob my-job--image=busybox--schedule="*/1 * * * *"# Create a cron job with a command  oc create cronjob my-job--image=busybox--schedule="*/1 * * * *" --date

Create a deployment named my-dep that runs the busybox image

# Create a deployment named my-dep that runs the busybox image  oc create deployment my-dep--image=busybox# Create a deployment with a command  oc create deployment my-dep--image=busybox --date# Create a deployment named my-dep that runs the nginx image with 3 replicas  oc create deployment my-dep--image=nginx--replicas=3# Create a deployment named my-dep that runs the busybox image and expose port 5701  oc create deployment my-dep--image=busybox--port=5701# Create a deployment named my-dep that runs multiple containers  oc create deployment my-dep--image=busybox:latest--image=ubuntu:latest--image=nginx

Create an nginx deployment config named my-nginx

# Create an nginx deployment config named my-nginx  oc create deploymentconfig my-nginx--image=nginx

Create an identity with identity provider "acme_ldap" and the identity provider username "adamjones"

# Create an identity with identity provider "acme_ldap" and the identity provider username "adamjones"  oc create identity acme_ldap:adamjones

Create a new image stream

# Create a new image stream  oc create imagestream mysql

Create a new image stream tag based on an image in a remote registry

# Create a new image stream tag based on an image in a remote registry  oc create imagestreamtag mysql:latest --from-image=myregistry.local/mysql/mysql:5.0

Create a single ingress called 'simple' that directs requests to foo.com/bar to svc

# Create a single ingress called 'simple' that directs requests to foo.com/bar to svc# svc1:8080 with a TLS secret "my-cert"  oc create ingress simple--rule="foo.com/bar=svc1:8080,tls=my-cert"# Create a catch all ingress of "/path" pointing to service svc:port and Ingress Class as "otheringress"  oc create ingress catch-all--class=otheringress--rule="/path=svc:port"# Create an ingress with two annotations: ingress.annotation1 and ingress.annotations2  oc create ingress annotated--class=default--rule="foo.com/bar=svc:port"\--annotationingress.annotation1=foo\--annotationingress.annotation2=bla# Create an ingress with the same host and multiple paths  oc create ingress multipath--class=default\--rule="foo.com/=svc:port"\--rule="foo.com/admin/=svcadmin:portadmin"# Create an ingress with multiple hosts and the pathType as Prefix  oc create ingress ingress1--class=default\--rule="foo.com/path*=svc:8080"\--rule="bar.com/admin*=svc2:http"# Create an ingress with TLS enabled using the default ingress certificate and different path types  oc create ingress ingtls--class=default\--rule="foo.com/=svc:https,tls"\--rule="foo.com/path/subpath*=othersvc:8080"# Create an ingress with TLS enabled using a specific secret and pathType as Prefix  oc create ingress ingsecret--class=default\--rule="foo.com/*=svc:8080,tls=secret1"# Create an ingress with a default backend  oc create ingress ingdefault--class=default\  --default-backend=defaultsvc:http\--rule="foo.com/*=svc:8080,tls=secret1"

Create a job

# Create a job  oc create job my-job--image=busybox# Create a job with a command  oc create job my-job--image=busybox --date# Create a job from a cron job named "a-cronjob"  oc create job test-job--from=cronjob/a-cronjob

Create a new namespace named my-namespace

# Create a new namespace named my-namespace  oc create namespace my-namespace

Create a pod disruption budget named my-pdb that will select all pods with the app=rails label

# Create a pod disruption budget named my-pdb that will select all pods with the app=rails label# and require at least one of them being available at any point in time  oc create poddisruptionbudget my-pdb--selector=app=rails --min-available=1# Create a pod disruption budget named my-pdb that will select all pods with the app=nginx label# and require at least half of the pods selected to be available at any point in time  oc create pdb my-pdb--selector=app=nginx --min-available=50%

Create a priority class named high-priority

# Create a priority class named high-priority  oc create priorityclass high-priority--value=1000--description="high priority"# Create a priority class named default-priority that is considered as the global default priority  oc create priorityclass default-priority--value=1000 --global-default=true--description="default priority"# Create a priority class named high-priority that cannot preempt pods with lower priority  oc create priorityclass high-priority--value=1000--description="high priority" --preemption-policy="Never"

Create a new resource quota named my-quota

# Create a new resource quota named my-quota  oc createquota my-quota--hard=cpu=1,memory=1G,pods=2,services=3,replicationcontrollers=2,resourcequotas=1,secrets=5,persistentvolumeclaims=10# Create a new resource quota named best-effort  oc createquota best-effort--hard=pods=100--scopes=BestEffort

Create a role named "pod-reader" that allows user to perform "get", "watch" and "list" on pods

# Create a role named "pod-reader" that allows user to perform "get", "watch" and "list" on pods  oc create role pod-reader--verb=get--verb=list--verb=watch--resource=pods# Create a role named "pod-reader" with ResourceName specified  oc create role pod-reader--verb=get--resource=pods --resource-name=readablepod --resource-name=anotherpod# Create a role named "foo" with API Group specified  oc create role foo--verb=get,list,watch--resource=rs.apps# Create a role named "foo" with SubResource specified  oc create role foo--verb=get,list,watch--resource=pods,pods/status

Create a role binding for user1, user2, and group1 using the admin cluster role

# Create a role binding for user1, user2, and group1 using the admin cluster role  oc create rolebinding admin--clusterrole=admin--user=user1--user=user2--group=group1# Create a role binding for service account monitoring:sa-dev using the admin role  oc create rolebinding admin-binding--role=admin--serviceaccount=monitoring:sa-dev

Create an edge route named "my-route" that exposes the frontend service

# Create an edge route named "my-route" that exposes the frontend service  oc create route edge my-route--service=frontend# Create an edge route that exposes the frontend service and specify a path# If the route name is omitted, the service name will be used  oc create route edge--service=frontend--path /assets

Create a passthrough route named "my-route" that exposes the frontend service

# Create a passthrough route named "my-route" that exposes the frontend service  oc create route passthrough my-route--service=frontend# Create a passthrough route that exposes the frontend service and specify# a host name. If the route name is omitted, the service name will be used  oc create route passthrough--service=frontend--hostname=www.example.com

Create a route named "my-route" that exposes the frontend service

# Create a route named "my-route" that exposes the frontend service  oc create route reencrypt my-route--service=frontend --dest-ca-cert cert.cert# Create a reencrypt route that exposes the frontend service, letting the# route name default to the service name and the destination CA certificate# default to the service CA  oc create route reencrypt--service=frontend

If you do not already have a .dockercfg file, create a dockercfg secret directly

# If you do not already have a .dockercfg file, create a dockercfg secret directly  oc create secret docker-registry my-secret --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL# Create a new secret named my-secret from ~/.docker/config.json  oc create secret docker-registry my-secret --from-file=path/to/.docker/config.json

Create a new secret named my-secret with keys for each file in folder bar

# Create a new secret named my-secret with keys for each file in folder bar  oc create secret generic my-secret --from-file=path/to/bar# Create a new secret named my-secret with specified keys instead of names on disk  oc create secret generic my-secret --from-file=ssh-privatekey=path/to/id_rsa --from-file=ssh-publickey=path/to/id_rsa.pub# Create a new secret named my-secret with key1=supersecret and key2=topsecret  oc create secret generic my-secret --from-literal=key1=supersecret --from-literal=key2=topsecret# Create a new secret named my-secret using a combination of a file and a literal  oc create secret generic my-secret --from-file=ssh-privatekey=path/to/id_rsa --from-literal=passphrase=topsecret# Create a new secret named my-secret from env files  oc create secret generic my-secret --from-env-file=path/to/foo.env --from-env-file=path/to/bar.env

Create a new TLS secret named tls-secret with the given key pair

# Create a new TLS secret named tls-secret with the given key pair  oc create secret tls tls-secret--cert=path/to/tls.crt--key=path/to/tls.key

Create a new ClusterIP service named my-cs

# Create a new ClusterIP service named my-cs  oc createservice clusterip my-cs--tcp=5678:8080# Create a new ClusterIP service named my-cs (in headless mode)  oc createservice clusterip my-cs--clusterip="None"

Create a new ExternalName service named my-ns

# Create a new ExternalName service named my-ns  oc createservice externalname my-ns --external-name bar.com

Create a new LoadBalancer service named my-lbs

# Create a new LoadBalancer service named my-lbs  oc createservice loadbalancer my-lbs--tcp=5678:8080

Create a new NodePort service named my-ns

# Create a new NodePort service named my-ns  oc createservice nodeport my-ns--tcp=5678:8080

Create a new service account named my-service-account

# Create a new service account named my-service-account  oc create serviceaccount my-service-account

Request a token to authenticate to the kube-apiserver as the service account "myapp" in the current namespace

# Request a token to authenticate to the kube-apiserver as the service account "myapp" in the current namespace  oc create token myapp# Request a token for a service account in a custom namespace  oc create token myapp--namespace myns# Request a token with a custom expiration  oc create token myapp--duration 10m# Request a token with a custom audience  oc create token myapp--audience https://example.com# Request a token bound to an instance of a Secret object  oc create token myapp --bound-object-kind Secret --bound-object-name mysecret# Request a token bound to an instance of a Secret object with a specific UID  oc create token myapp --bound-object-kind Secret --bound-object-name mysecret --bound-object-uid 0d4691ed-659b-4935-a832-355f77ee47cc

Create a user with the username "ajones" and the display name "Adam Jones"

# Create a user with the username "ajones" and the display name "Adam Jones"  oc create user ajones --full-name="Adam Jones"

Map the identity "acme_ldap:adamjones" to the user "ajones"

# Map the identity "acme_ldap:adamjones" to the user "ajones"  oc create useridentitymapping acme_ldap:adamjones ajones

Start a shell session into a pod using the OpenShift tools image

# Start a shell session into a pod using the OpenShift tools image  oc debug# Debug a currently running deployment by creating a new pod  oc debug deploy/test# Debug a node as an administrator  oc debug node/master-1# Debug a Windows node# Note: the chosen image must match the Windows Server version (2019, 2022) of the node  oc debug node/win-worker-1--image=mcr.microsoft.com/powershell:lts-nanoserver-ltsc2022# Launch a shell in a pod using the provided image stream tag  oc debug istag/mysql:latest-n openshift# Test running a job as a non-root user  oc debug job/test --as-user=1000000# Debug a specific failing container by running the env command in the 'second' container  oc debug daemonset/test-c second -- /bin/env# See the pod that would be created to debug  oc debug mypod-9xbc-o yaml# Debug a resource but launch the debug pod in another namespace# Note: Not all resources can be debugged using --to-namespace without modification. For example,# volumes and service accounts are namespace-dependent. Add '-o yaml' to output the debug pod definition# to disk.  If necessary, edit the definition then run 'oc debug -f -' or run without --to-namespace  oc debug mypod-9xbc --to-namespace testns

Delete a pod using the type and name specified in pod.json

# Delete a pod using the type and name specified in pod.json  oc delete-f ./pod.json# Delete resources from a directory containing kustomization.yaml - e.g. dir/kustomization.yaml  oc delete-kdir# Delete resources from all files that end with '.json'  oc delete-f'*.json'# Delete a pod based on the type and name in the JSON passed into stdincat pod.json| oc delete-f -# Delete pods and services with same names "baz" and "foo"  oc delete pod,service baz foo# Delete pods and services with label name=myLabel  oc delete pods,services-lname=myLabel# Delete a pod with minimal delay  oc delete pod foo--now# Force delete a pod on a dead node  oc delete pod foo--force# Delete all pods  oc delete pods--all# Delete all pods only if the user confirms the deletion  oc delete pods--all--interactive

Describe a node

# Describe a node  oc describe nodes kubernetes-node-emt8.c.myproject.internal# Describe a pod  oc describe pods/nginx# Describe a pod identified by type and name in "pod.json"  oc describe-f pod.json# Describe all pods  oc describe pods# Describe pods by label name=myLabel  oc describe pods-lname=myLabel# Describe all pods managed by the 'frontend' replication controller# (rc-created pods get the name of the rc as a prefix in the pod name)  oc describe pods frontend

Diff resources included in pod.json

# Diff resources included in pod.json  ocdiff-f pod.json# Diff file read from stdincat service.yaml| ocdiff-f -

Edit the service named 'registry'

# Edit the service named 'registry'  oc edit svc/registry# Use an alternative editorKUBE_EDITOR="nano" oc edit svc/registry# Edit the job 'myjob' in JSON using the v1 API format  oc edit job.v1.batch/myjob-o json# Edit the deployment 'mydeployment' in YAML and save the modified config in its annotation  oc edit deployment/mydeployment-o yaml --save-config# Edit the 'status' subresource for the 'mydeployment' deployment  oc edit deployment mydeployment--subresource='status'

List recent events in the default namespace

# List recent events in the default namespace  oc events# List recent events in all namespaces  oc events --all-namespaces# List recent events for the specified pod, then wait for more events and list them as they arrive  oc events--for pod/web-pod-13je7--watch# List recent events in YAML format  oc events-oyaml# List recent only events of type 'Warning' or 'Normal'  oc events--types=Warning,Normal

Get output from running the 'date' command from pod mypod, using the first container by default

# Get output from running the 'date' command from pod mypod, using the first container by default  ocexec mypod --date# Get output from running the 'date' command in ruby-container from pod mypod  ocexec mypod-c ruby-container --date# Switch to raw terminal mode; sends stdin to 'bash' in ruby-container from pod mypod# and sends stdout/stderr from 'bash' back to the client  ocexec mypod-c ruby-container-i-t --bash-il# List contents of /usr from the first container of pod mypod and sort by modification time# If the command you want to execute in the pod has any flags in common (e.g. -i),# you must use two dashes (--) to separate your command's flags/arguments# Also note, do not surround your command and its flags/arguments with quotes# unless that is how you would execute it normally (i.e., do ls -t /usr, not "ls -t /usr")  ocexec mypod-i-t --ls-t /usr# Get output from running 'date' command from the first pod of the deployment mydeployment, using the first container by default  ocexec deploy/mydeployment --date# Get output from running 'date' command from the first pod of the service myservice, using the first container by default  ocexec svc/myservice --date

Get the documentation of the resource and its fields

# Get the documentation of the resource and its fields  oc explain pods# Get all the fields in the resource  oc explain pods--recursive# Get the explanation for deployment in supported api versions  oc explain deployments --api-version=apps/v1# Get the documentation of a specific field of a resource  oc explain pods.spec.containers# Get the documentation of resources in different format  oc explain deployment--output=plaintext-openapiv2

Create a route based on service nginx. The new route will reuse nginx's labels

# Create a route based on service nginx. The new route will reuse nginx's labels  oc exposeservice nginx# Create a route and specify your own label and route name  oc exposeservice nginx-lname=myroute--name=fromdowntown# Create a route and specify a host name  oc exposeservice nginx--hostname=www.example.com# Create a route with a wildcard  oc exposeservice nginx--hostname=x.example.com --wildcard-policy=Subdomain# This would be equivalent to *.example.com. NOTE: only hosts are matched by the wildcard; subdomains would not be included# Expose a deployment configuration as a service and use the specified port  oc exposedc ruby-hello-world--port=8080# Expose a service as a route in the specified path  oc exposeservice nginx--path=/nginx

Extract the secret "test" to the current directory

# Extract the secret "test" to the current directory  oc extract secret/test# Extract the config map "nginx" to the /tmp directory  oc extract configmap/nginx--to=/tmp# Extract the config map "nginx" to STDOUT  oc extract configmap/nginx--to=-# Extract only the key "nginx.conf" from config map "nginx" to the /tmp directory  oc extract configmap/nginx--to=/tmp--keys=nginx.conf

List all pods in ps output format

# List all pods in ps output format  oc get pods# List all pods in ps output format with more information (such as node name)  oc get pods-o wide# List a single replication controller with specified NAME in ps output format  oc get replicationcontroller web# List deployments in JSON output format, in the "v1" version of the "apps" API group  oc get deployments.v1.apps-o json# List a single pod in JSON output format  oc get-o json pod web-pod-13je7# List a pod identified by type and name specified in "pod.yaml" in JSON output format  oc get-f pod.yaml-o json# List resources from a directory with kustomization.yaml - e.g. dir/kustomization.yaml  oc get-k dir/# Return only the phase value of the specified pod  oc get-o template pod/web-pod-13je7--template={{.status.phase}}# List resource information in custom columns  oc get pod test-pod-o custom-columns=CONTAINER:.spec.containers[0].name,IMAGE:.spec.containers[0].image# List all replication controllers and services together in ps output format  oc get rc,services# List one or more resources by their type and names  oc get rc/web service/frontend pods/web-pod-13je7# List the 'status' subresource for a single pod  oc get pod web-pod-13je7--subresource status# List all deployments in namespace 'backend'  oc get deployments.apps--namespace backend# List all pods existing in all namespaces  oc get pods --all-namespaces

Starts an auth code flow to the issuer URL with the client ID and the given extra scopes

# Starts an auth code flow to the issuer URL with the client ID and the given extra scopes  oc get-token --client-id=client-id --issuer-url=test.issuer.url --extra-scopes=email,profile# Starts an auth code flow to the issuer URL with a different callback address  oc get-token --client-id=client-id --issuer-url=test.issuer.url --callback-address=127.0.0.1:8343

Idle the scalable controllers associated with the services listed in to-idle.txt

# Idle the scalable controllers associated with the services listed in to-idle.txt  $ oc idle --resource-names-file to-idle.txt

Remove the entrypoint on the mysql:latest image

# Remove the entrypoint on the mysql:latest image  oc image append--from mysql:latest--to myregistry.com/myimage:latest--image'{"Entrypoint":null}'# Add a new layer to the image  oc image append--from mysql:latest--to myregistry.com/myimage:latest layer.tar.gz# Add a new layer to the image and store the result on disk# This results in $(pwd)/v2/mysql/blobs,manifests  oc image append--from mysql:latest--to file://mysql:local layer.tar.gz# Add a new layer to the image and store the result on disk in a designated directory# This will result in $(pwd)/mysql-local/v2/mysql/blobs,manifests  oc image append--from mysql:latest--to file://mysql:local--dir mysql-local layer.tar.gz# Add a new layer to an image that is stored on disk (~/mysql-local/v2/image exists)  oc image append --from-dir ~/mysql-local--to myregistry.com/myimage:latest layer.tar.gz# Add a new layer to an image that was mirrored to the current directory on disk ($(pwd)/v2/image exists)  oc image append --from-dir v2--to myregistry.com/myimage:latest layer.tar.gz# Add a new layer to a multi-architecture image for an os/arch that is different from the system's os/arch# Note: The first image in the manifest list that matches the filter will be returned when --keep-manifest-list is not specified  oc image append--from docker.io/library/busybox:latest --filter-by-os=linux/s390x--to myregistry.com/myimage:latest layer.tar.gz# Add a new layer to a multi-architecture image for all the os/arch manifests when keep-manifest-list is specified  oc image append--from docker.io/library/busybox:latest --keep-manifest-list--to myregistry.com/myimage:latest layer.tar.gz# Add a new layer to a multi-architecture image for all the os/arch manifests that is specified by the filter, while preserving the manifestlist  oc image append--from docker.io/library/busybox:latest --filter-by-os=linux/s390x --keep-manifest-list--to myregistry.com/myimage:latest layer.tar.gz

Extract the busybox image into the current directory

# Extract the busybox image into the current directory  oc image extract docker.io/library/busybox:latest# Extract the busybox image into a designated directory (must exist)  oc image extract docker.io/library/busybox:latest--path /:/tmp/busybox# Extract the busybox image into the current directory for linux/s390x platform# Note: Wildcard filter is not supported with extract; pass a single os/arch to extract  oc image extract docker.io/library/busybox:latest --filter-by-os=linux/s390x# Extract a single file from the image into the current directory  oc image extract docker.io/library/centos:7--path /bin/bash:.# Extract all .repo files from the image's /etc/yum.repos.d/ folder into the current directory  oc image extract docker.io/library/centos:7--path /etc/yum.repos.d/*.repo:.# Extract all .repo files from the image's /etc/yum.repos.d/ folder into a designated directory (must exist)# This results in /tmp/yum.repos.d/*.repo on local system  oc image extract docker.io/library/centos:7--path /etc/yum.repos.d/*.repo:/tmp/yum.repos.d# Extract an image stored on disk into the current directory ($(pwd)/v2/busybox/blobs,manifests exists)# --confirm is required because the current directory is not empty  oc image extract file://busybox:local--confirm# Extract an image stored on disk in a directory other than $(pwd)/v2 into the current directory# --confirm is required because the current directory is not empty ($(pwd)/busybox-mirror-dir/v2/busybox exists)  oc image extract file://busybox:local--dir busybox-mirror-dir--confirm# Extract an image stored on disk in a directory other than $(pwd)/v2 into a designated directory (must exist)  oc image extract file://busybox:local--dir busybox-mirror-dir--path /:/tmp/busybox# Extract the last layer in the image  oc image extract docker.io/library/centos:7[-1]# Extract the first three layers of the image  oc image extract docker.io/library/centos:7[:3]# Extract the last three layers of the image  oc image extract docker.io/library/centos:7[-3:]

Show information about an image

# Show information about an image  oc image info quay.io/openshift/cli:latest# Show information about images matching a wildcard  oc image info quay.io/openshift/cli:4.*# Show information about a file mirrored to disk under DIR  oc image info--dir=DIR file://library/busybox:latest# Select which image from a multi-OS image to show  oc image info library/busybox:latest --filter-by-os=linux/arm64

Copy image to another tag

# Copy image to another tag  oc image mirror myregistry.com/myimage:latest myregistry.com/myimage:stable# Copy image to another registry  oc image mirror myregistry.com/myimage:latest docker.io/myrepository/myimage:stable# Copy all tags starting with mysql to the destination repository  oc image mirror myregistry.com/myimage:mysql* docker.io/myrepository/myimage# Copy image to disk, creating a directory structure that can be served as a registry  oc image mirror myregistry.com/myimage:latest file://myrepository/myimage:latest# Copy image to S3 (pull from <bucket>.s3.amazonaws.com/image:latest)  oc image mirror myregistry.com/myimage:latest s3://s3.amazonaws.com/<region>/<bucket>/image:latest# Copy image to S3 without setting a tag (pull via @<digest>)  oc image mirror myregistry.com/myimage:latest s3://s3.amazonaws.com/<region>/<bucket>/image# Copy image to multiple locations  oc image mirror myregistry.com/myimage:latest docker.io/myrepository/myimage:stable\  docker.io/myrepository/myimage:dev# Copy multiple images  oc image mirror myregistry.com/myimage:latest=myregistry.com/other:test\  myregistry.com/myimage:new=myregistry.com/other:target# Copy manifest list of a multi-architecture image, even if only a single image is found  oc image mirror myregistry.com/myimage:latest=myregistry.com/other:test\  --keep-manifest-list=true# Copy specific os/arch manifest of a multi-architecture image# Run 'oc image info myregistry.com/myimage:latest' to see available os/arch for multi-arch images# Note that with multi-arch images, this results in a new manifest list digest that includes only the filtered manifests  oc image mirror myregistry.com/myimage:latest=myregistry.com/other:test\  --filter-by-os=os/arch# Copy all os/arch manifests of a multi-architecture image# Run 'oc image info myregistry.com/myimage:latest' to see list of os/arch manifests that will be mirrored  oc image mirror myregistry.com/myimage:latest=myregistry.com/other:test\  --keep-manifest-list=true# Note the above command is equivalent to  oc image mirror myregistry.com/myimage:latest=myregistry.com/other:test\  --filter-by-os=.*# Copy specific os/arch manifest of a multi-architecture image# Run 'oc image info myregistry.com/myimage:latest' to see available os/arch for multi-arch images# Note that the target registry may reject a manifest list if the platform specific images do not all exist# You must use a registry with sparse registry support enabled  oc image mirror myregistry.com/myimage:latest=myregistry.com/other:test\  --filter-by-os=linux/386\  --keep-manifest-list=true

Import tag latest into a new image stream

# Import tag latest into a new image stream  oc import-image mystream--from=registry.io/repo/image:latest--confirm# Update imported data for tag latest in an already existing image stream  oc import-image mystream# Update imported data for tag stable in an already existing image stream  oc import-image mystream:stable# Update imported data for all tags in an existing image stream  oc import-image mystream--all# Update imported data for a tag that points to a manifest list to include the full manifest list  oc import-image mystream --import-mode=PreserveOriginal# Import all tags into a new image stream  oc import-image mystream--from=registry.io/repo/image--all--confirm# Import all tags into a new image stream using a custom timeout  oc --request-timeout=5m import-image mystream--from=registry.io/repo/image--all--confirm

Build the current working directory

# Build the current working directory  oc kustomize# Build some shared configuration directory  oc kustomize /home/config/production# Build from github  oc kustomize https://github.com/kubernetes-sigs/kustomize.git/examples/helloWorld?ref=v1.0.6

Update pod 'foo' with the label 'unhealthy' and the value 'true'

# Update pod 'foo' with the label 'unhealthy' and the value 'true'  oc label pods foounhealthy=true# Update pod 'foo' with the label 'status' and the value 'unhealthy', overwriting any existing value  oc label--overwrite pods foostatus=unhealthy# Update all pods in the namespace  oc label pods--allstatus=unhealthy# Update a pod identified by the type and name in "pod.json"  oc label-f pod.jsonstatus=unhealthy# Update pod 'foo' only if the resource is unchanged from version 1  oc label pods foostatus=unhealthy --resource-version=1# Update pod 'foo' by removing a label named 'bar' if it exists# Does not require the --overwrite flag  oc label pods foo bar-

Log in interactively

# Log in interactively  oc login--username=myuser# Log in to the given server with the given certificate authority file  oc login localhost:8443 --certificate-authority=/path/to/cert.crt# Log in to the given server with the given credentials (will not prompt interactively)  oc login localhost:8443--username=myuser--password=mypass# Log in to the given server through a browser  oc login localhost:8443--web --callback-port8280# Log in to the external OIDC issuer through Auth Code + PKCE by starting a local server listening on port 8080  oc login localhost:8443 --exec-plugin=oc-oidc --client-id=client-id --extra-scopes=email,profile --callback-port=8080

Log out

# Log out  oclogout

Start streaming the logs of the most recent build of the openldap build config

# Start streaming the logs of the most recent build of the openldap build config  oc logs-f bc/openldap# Start streaming the logs of the latest deployment of the mysql deployment config  oc logs-f dc/mysql# Get the logs of the first deployment for the mysql deployment config. Note that logs# from older deployments may not exist either because the deployment was successful# or due to deployment pruning or manual deletion of the deployment  oc logs--version=1 dc/mysql# Return a snapshot of ruby-container logs from pod backend  oc logs backend-c ruby-container# Start streaming of ruby-container logs from pod backend  oc logs-f pod/backend-c ruby-container

List all local templates and image streams that can be used to create an app

# List all local templates and image streams that can be used to create an app  oc new-app--list# Create an application based on the source code in the current git repository (with a public remote) and a container image  oc new-app.--image=registry/repo/langimage# Create an application myapp with Docker based build strategy expecting binary input  oc new-app--strategy=docker--binary--name myapp# Create a Ruby application based on the provided [image]~[source code] combination  oc new-app centos/ruby-25-centos7~https://github.com/sclorg/ruby-ex.git# Use the public container registry MySQL image to create an app. Generated artifacts will be labeled with db=mysql  oc new-app mysqlMYSQL_USER=userMYSQL_PASSWORD=passMYSQL_DATABASE=testdb-ldb=mysql# Use a MySQL image in a private registry to create an app and override application artifacts' names  oc new-app--image=myregistry.com/mycompany/mysql--name=private# Use an image with the full manifest list to create an app and override application artifacts' names  oc new-app--image=myregistry.com/mycompany/image--name=private --import-mode=PreserveOriginal# Create an application from a remote repository using its beta4 branch  oc new-app https://github.com/openshift/ruby-hello-world#beta4# Create an application based on a stored template, explicitly setting a parameter value  oc new-app--template=ruby-helloworld-sample--param=MYSQL_USER=admin# Create an application from a remote repository and specify a context directory  oc new-app https://github.com/youruser/yourgitrepo --context-dir=src/build# Create an application from a remote private repository and specify which existing secret to use  oc new-app https://github.com/youruser/yourgitrepo --source-secret=yoursecret# Create an application based on a template file, explicitly setting a parameter value  oc new-app--file=./example/myapp/template.json--param=MYSQL_USER=admin# Search all templates, image streams, and container images for the ones that match "ruby"  oc new-app--search ruby# Search for "ruby", but only in stored templates (--template, --image-stream and --image# can be used to filter search results)  oc new-app--search--template=ruby# Search for "ruby" in stored templates and print the output as YAML  oc new-app--search--template=ruby--output=yaml

Create a build config based on the source code in the current git repository (with a public

# Create a build config based on the source code in the current git repository (with a public# remote) and a container image  oc new-build.--image=repo/langimage# Create a NodeJS build config based on the provided [image]~[source code] combination  oc new-build centos/nodejs-8-centos7~https://github.com/sclorg/nodejs-ex.git# Create a build config from a remote repository using its beta2 branch  oc new-build https://github.com/openshift/ruby-hello-world#beta2# Create a build config using a Dockerfile specified as an argument  oc new-build-D$'FROM centos:7\nRUN yum install -y httpd'# Create a build config from a remote repository and add custom environment variables  oc new-build https://github.com/openshift/ruby-hello-world-eRACK_ENV=development# Create a build config from a remote private repository and specify which existing secret to use  oc new-build https://github.com/youruser/yourgitrepo --source-secret=yoursecret# Create a build config using  an image with the full manifest list to create an app and override application artifacts' names  oc new-build--image=myregistry.com/mycompany/image--name=private --import-mode=PreserveOriginal# Create a build config from a remote repository and inject the npmrc into a build  oc new-build https://github.com/openshift/ruby-hello-world --build-secret npmrc:.npmrc# Create a build config from a remote repository and inject environment data into a build  oc new-build https://github.com/openshift/ruby-hello-world --build-config-map env:config# Create a build config that gets its input from a remote repository and another container image  oc new-build https://github.com/openshift/ruby-hello-world --source-image=openshift/jenkins-1-centos7 --source-image-path=/var/lib/jenkins:tmp

Create a new project with minimal information

# Create a new project with minimal information  oc new-project web-team-dev# Create a new project with a display name and description  oc new-project web-team-dev --display-name="Web Team Development"--description="Development project for the web team."

Observe changes to services

# Observe changes to services  oc observe services# Observe changes to services, including the clusterIP and invoke a script for each  oc observe services--template'{ .spec.clusterIP }' -- register_dns.sh# Observe changes to services filtered by a label selector  oc observe services-l regist-dns=true--template'{ .spec.clusterIP }' -- register_dns.sh

Partially update a node using a strategic merge patch, specifying the patch as JSON

# Partially update a node using a strategic merge patch, specifying the patch as JSON  oc patchnode k8s-node-1-p'{"spec":{"unschedulable":true}}'# Partially update a node using a strategic merge patch, specifying the patch as YAML  oc patchnode k8s-node-1-p$'spec:\n unschedulable: true'# Partially update a node identified by the type and name specified in "node.json" using strategic merge patch  oc patch-f node.json-p'{"spec":{"unschedulable":true}}'# Update a container's image; spec.containers[*].name is required because it's a merge key  oc patch pod valid-pod -p '{"spec":{"containers":[{"name":"kubernetes-serve-hostname","image":"new image"}]}}'  # Update a container's image using a JSON patch with positional arrays  oc patch pod valid-pod--type='json'-p='[{"op": "replace", "path": "/spec/containers/0/image", "value":"new image"}]'# Update a deployment's replicas through the 'scale' subresource using a merge patch  oc patch deployment nginx-deployment--subresource='scale'--type='merge'-p'{"spec":{"replicas":2}}'

List all available plugins

# List all available plugins  oc plugin list# List only binary names of available plugins without paths  oc plugin list --name-only

List all available plugins

# List all available plugins  oc plugin list# List only binary names of available plugins without paths  oc plugin list --name-only

Add the 'view' role to user1 for the current project

# Add the 'view' role to user1 for the current project  oc policy add-role-to-user view user1# Add the 'edit' role to serviceaccount1 for the current project  oc policy add-role-to-user edit-z serviceaccount1

Check whether service accounts sa1 and sa2 can admit a pod with a template pod spec specified in my_resource.yaml

# Check whether service accounts sa1 and sa2 can admit a pod with a template pod spec specified in my_resource.yaml# Service Account specified in myresource.yaml file is ignored  oc policy scc-review-z sa1,sa2-f my_resource.yaml# Check whether service accounts system:serviceaccount:bob:default can admit a pod with a template pod spec specified in my_resource.yaml  oc policy scc-review-z system:serviceaccount:bob:default-f my_resource.yaml# Check whether the service account specified in my_resource_with_sa.yaml can admit the pod  oc policy scc-review-f my_resource_with_sa.yaml# Check whether the default service account can admit the pod; default is taken since no service account is defined in myresource_with_no_sa.yaml  oc policy scc-review-f myresource_with_no_sa.yaml

Check whether user bob can create a pod specified in myresource.yaml

# Check whether user bob can create a pod specified in myresource.yaml  oc policy scc-subject-review-u bob-f myresource.yaml# Check whether user bob who belongs to projectAdmin group can create a pod specified in myresource.yaml  oc policy scc-subject-review-u bob-g projectAdmin-f myresource.yaml# Check whether a service account specified in the pod template spec in myresourcewithsa.yaml can create the pod  oc policy scc-subject-review-f myresourcewithsa.yaml

Listen on ports 5000 and 6000 locally, forwarding data to/from ports 5000 and 6000 in the pod

# Listen on ports 5000 and 6000 locally, forwarding data to/from ports 5000 and 6000 in the pod  oc port-forward pod/mypod50006000# Listen on ports 5000 and 6000 locally, forwarding data to/from ports 5000 and 6000 in a pod selected by the deployment  oc port-forward deployment/mydeployment50006000# Listen on port 8443 locally, forwarding to the targetPort of the service's port named "https" in a pod selected by the service  oc port-forward service/myservice8443:https# Listen on port 8888 locally, forwarding to 5000 in the pod  oc port-forward pod/mypod8888:5000# Listen on port 8888 on all addresses, forwarding to 5000 in the pod  oc port-forward--address0.0.0.0 pod/mypod8888:5000# Listen on port 8888 on localhost and selected IP, forwarding to 5000 in the pod  oc port-forward--address localhost,10.19.21.23 pod/mypod8888:5000# Listen on a random port locally, forwarding to 5000 in the pod  oc port-forward pod/mypod :5000

Convert the template.json file into a resource list and pass to create

# Convert the template.json file into a resource list and pass to create  oc process-f template.json| oc create-f -# Process a file locally instead of contacting the server  oc process-f template.json--local-o yaml# Process template while passing a user-defined label  oc process-f template.json-lname=mytemplate# Convert a stored template into a resource list  oc process foo# Convert a stored template into a resource list by setting/overriding parameter values  oc process fooPARM1=VALUE1PARM2=VALUE2# Convert a template stored in different namespace into a resource list  oc process openshift//foo# Convert template.json into a resource listcat template.json| oc process-f -

Switch to the 'myapp' project

# Switch to the 'myapp' project  oc project myapp# Display the project currently in use  oc project

List all projects

# List all projects  oc projects

To proxy all of the Kubernetes API and nothing else

# To proxy all of the Kubernetes API and nothing else  oc proxy --api-prefix=/# To proxy only part of the Kubernetes API and also some static files# You can get pods info with 'curl localhost:8001/api/v1/pods'  oc proxy--www=/my/files --www-prefix=/static/ --api-prefix=/api/# To proxy the entire Kubernetes API at a different root# You can get pods info with 'curl localhost:8001/custom/api/v1/pods'  oc proxy --api-prefix=/custom/# Run a proxy to the Kubernetes API server on port 8011, serving static content from ./local/www/  oc proxy--port=8011--www=./local/www/# Run a proxy to the Kubernetes API server on an arbitrary local port# The chosen port for the server will be output to stdout  oc proxy--port=0# Run a proxy to the Kubernetes API server, changing the API prefix to k8s-api# This makes e.g. the pods API available at localhost:8001/k8s-api/v1/pods/  oc proxy --api-prefix=/k8s-api

Log in to the integrated registry

# Log in to the integrated registry  oc registry login# Log in to different registry using BASIC auth credentials  oc registry login--registry quay.io/myregistry --auth-basic=USER:PASS

Replace a pod using the data in pod.json

# Replace a pod using the data in pod.json  oc replace-f ./pod.json# Replace a pod based on the JSON passed into stdincat pod.json| oc replace-f -# Update a single-container pod's image version (tag) to v4  oc get pod mypod-o yaml|sed's/\(image: myimage\):.*$/\1:v4/'| oc replace-f -# Force replace, delete and then re-create the resource  oc replace--force-f ./pod.json

Perform a rollback to the last successfully completed deployment for a deployment config

# Perform a rollback to the last successfully completed deployment for a deployment config  oc rollback frontend# See what a rollback to version 3 will look like, but do not perform the rollback  oc rollback frontend --to-version=3 --dry-run# Perform a rollback to a specific deployment  oc rollback frontend-2# Perform the rollback manually by piping the JSON of the new config back to oc  oc rollback frontend-o json| oc replace dc/frontend-f -# Print the updated deployment configuration in JSON format instead of performing the rollback  oc rollback frontend-o json

Roll back to the previous deployment

# Roll back to the previous deployment  oc rollout undo deployment/abc# Check the rollout status of a daemonset  oc rollout status daemonset/foo# Restart a deployment  oc rollout restart deployment/abc# Restart deployments with the 'app=nginx' label  oc rollout restart deployment--selector=app=nginx

Cancel the in-progress deployment based on 'nginx'

# Cancel the in-progress deployment based on 'nginx'  oc rollout cancel dc/nginx

View the rollout history of a deployment

# View the rollout history of a deployment  oc rollouthistory deployment/abc# View the details of daemonset revision 3  oc rollouthistory daemonset/abc--revision=3

Start a new rollout based on the latest images defined in the image change triggers

# Start a new rollout based on the latest images defined in the image change triggers  oc rollout latest dc/nginx# Print the rolled out deployment config  oc rollout latest dc/nginx-o json

Mark the nginx deployment as paused

# Mark the nginx deployment as paused# Any current state of the deployment will continue its function; new updates# to the deployment will not have an effect as long as the deployment is paused  oc rollout pause deployment/nginx

Restart all deployments in the test-namespace namespace

# Restart all deployments in the test-namespace namespace  oc rollout restart deployment-n test-namespace# Restart a deployment  oc rollout restart deployment/nginx# Restart a daemon set  oc rollout restart daemonset/abc# Restart deployments with the app=nginx label  oc rollout restart deployment--selector=app=nginx

Resume an already paused deployment

# Resume an already paused deployment  oc rollout resume deployment/nginx

Retry the latest failed deployment based on 'frontend'

# Retry the latest failed deployment based on 'frontend'# The deployer pod and any hook pods are deleted for the latest failed deployment  oc rollout retry dc/frontend

Watch the rollout status of a deployment

# Watch the rollout status of a deployment  oc rollout status deployment/nginx

Roll back to the previous deployment

# Roll back to the previous deployment  oc rollout undo deployment/abc# Roll back to daemonset revision 3  oc rollout undo daemonset/abc --to-revision=3# Roll back to the previous deployment with dry-run  oc rollout undo --dry-run=server deployment/abc

Open a shell session on the first container in pod 'foo'

# Open a shell session on the first container in pod 'foo'  oc rsh foo# Open a shell session on the first container in pod 'foo' and namespace 'bar'# (Note that oc client specific arguments must come before the resource name and its arguments)  oc rsh-n bar foo# Run the command 'cat /etc/resolv.conf' inside pod 'foo'  oc rsh foocat /etc/resolv.conf# See the configuration of your internal registry  oc rsh dc/docker-registrycat config.yml# Open a shell session on the container named 'index' inside a pod of your job  oc rsh-c index job/scheduled

Synchronize a local directory with a pod directory

# Synchronize a local directory with a pod directory  ocrsync ./local/dir/ POD:/remote/dir# Synchronize a pod directory with a local directory  ocrsync POD:/remote/dir/ ./local/dir

Start a nginx pod

# Start a nginx pod  oc run nginx--image=nginx# Start a hazelcast pod and let the container expose port 5701  oc run hazelcast--image=hazelcast/hazelcast--port=5701# Start a hazelcast pod and set environment variables "DNS_DOMAIN=cluster" and "POD_NAMESPACE=default" in the container  oc run hazelcast--image=hazelcast/hazelcast--env="DNS_DOMAIN=cluster"--env="POD_NAMESPACE=default"# Start a hazelcast pod and set labels "app=hazelcast" and "env=prod" in the container  oc run hazelcast--image=hazelcast/hazelcast--labels="app=hazelcast,env=prod"# Dry run; print the corresponding API objects without creating them  oc run nginx--image=nginx --dry-run=client# Start a nginx pod, but overload the spec with a partial set of values parsed from JSON  oc run nginx--image=nginx--overrides='{ "apiVersion": "v1", "spec": { ... } }'# Start a busybox pod and keep it in the foreground, don't restart it if it exits  oc run-i-t busybox--image=busybox--restart=Never# Start the nginx pod using the default command, but use custom arguments (arg1 .. argN) for that command  oc run nginx--image=nginx --<arg1><arg2>...<argN># Start the nginx pod using a different command and custom arguments  oc run nginx--image=nginx--command --<cmd><arg1>...<argN>

Scale a replica set named 'foo' to 3

# Scale a replica set named 'foo' to 3  oc scale--replicas=3 rs/foo# Scale a resource identified by type and name specified in "foo.yaml" to 3  oc scale--replicas=3-f foo.yaml# If the deployment named mysql's current size is 2, scale mysql to 3  oc scale --current-replicas=2--replicas=3 deployment/mysql# Scale multiple replication controllers  oc scale--replicas=5 rc/example1 rc/example2 rc/example3# Scale stateful set named 'web' to 3  oc scale--replicas=3 statefulset/web

Add an image pull secret to a service account to automatically use it for pulling pod images

# Add an image pull secret to a service account to automatically use it for pulling pod images  oc secretslink serviceaccount-name pull-secret--for=pull# Add an image pull secret to a service account to automatically use it for both pulling and pushing build images  oc secretslink builder builder-image-secret--for=pull,mount

Unlink a secret currently associated with a service account

# Unlink a secret currently associated with a service account  oc secrets unlink serviceaccount-name secret-name another-secret-name...

Clear post-commit hook on a build config

# Clear post-commit hook on a build config  ocset build-hook bc/mybuild --post-commit--remove# Set the post-commit hook to execute a test suite using a new entrypoint  ocset build-hook bc/mybuild --post-commit--command -- /bin/bash-c /var/lib/test-image.sh# Set the post-commit hook to execute a shell script  ocset build-hook bc/mybuild --post-commit--script="/var/lib/test-image.sh param1 param2 && /var/lib/done.sh"

Clear the push secret on a build config

# Clear the push secret on a build config  ocset build-secret--push--remove bc/mybuild# Set the pull secret on a build config  ocset build-secret--pull bc/mybuild mysecret# Set the push and pull secret on a build config  ocset build-secret--push--pull bc/mybuild mysecret# Set the source secret on a set of build configs matching a selector  ocset build-secret--source-lapp=myapp gitsecret

Set the 'password' key of a secret

# Set the 'password' key of a secret  ocset data secret/foopassword=this_is_secret# Remove the 'password' key from a secret  ocset data secret/foo password-# Update the 'haproxy.conf' key of a config map from a file on disk  ocset data configmap/bar --from-file=../haproxy.conf# Update a secret with the contents of a directory, one key per file  ocset data secret/foo --from-file=secret-dir

Clear pre and post hooks on a deployment config

# Clear pre and post hooks on a deployment config  ocset deployment-hook dc/myapp--remove--pre--post# Set the pre deployment hook to execute a db migration command for an application# using the data volume from the application  ocset deployment-hook dc/myapp--pre--volumes=data -- /var/lib/migrate-db.sh# Set a mid deployment hook along with additional environment variables  ocset deployment-hook dc/myapp--mid--volumes=data-eVAR1=value1-eVAR2=value2 -- /var/lib/prepare-deploy.sh

Update deployment config 'myapp' with a new environment variable

# Update deployment config 'myapp' with a new environment variable  ocsetenv dc/myappSTORAGE_DIR=/local# List the environment variables defined on a build config 'sample-build'  ocsetenv bc/sample-build--list# List the environment variables defined on all pods  ocsetenv pods--all--list# Output modified build config in YAML  ocsetenv bc/sample-buildSTORAGE_DIR=/data-o yaml# Update all containers in all replication controllers in the project to have ENV=prod  ocsetenv rc--allENV=prod# Import environment from a secret  ocsetenv--from=secret/mysecret dc/myapp# Import environment from a config map with a prefix  ocsetenv--from=configmap/myconfigmap--prefix=MYSQL_ dc/myapp# Remove the environment variable ENV from container 'c1' in all deployment configs  ocsetenvdc--all--containers="c1" ENV-# Remove the environment variable ENV from a deployment config definition on disk and# update the deployment config on the server  ocsetenv-f dc.json ENV-# Set some of the local shell environment into a deployment config on the server  ocsetenv|grep RAILS_| ocenv-e - dc/myapp

Set a deployment config's nginx container image to 'nginx:1.9.1', and its busybox container image to 'busybox'.

# Set a deployment config's nginx container image to 'nginx:1.9.1', and its busybox container image to 'busybox'.  ocset image dc/nginxbusybox=busyboxnginx=nginx:1.9.1# Set a deployment config's app container image to the image referenced by the imagestream tag 'openshift/ruby:2.3'.  ocset image dc/myappapp=openshift/ruby:2.3--source=imagestreamtag# Update all deployments' and rc's nginx container's image to 'nginx:1.9.1'  ocset image deployments,rcnginx=nginx:1.9.1--all# Update image of all containers of daemonset abc to 'nginx:1.9.1'  ocset image daemonset abc *=nginx:1.9.1# Print result (in YAML format) of updating nginx container image from local file, without hitting the server  ocset image-f path/to/file.yamlnginx=nginx:1.9.1--local-o yaml

Print all of the image streams and whether they resolve local names

# Print all of the image streams and whether they resolve local names  ocset image-lookup# Use local name lookup on image stream mysql  ocset image-lookup mysql# Force a deployment to use local name lookup  ocset image-lookup deploy/mysql# Show the current status of the deployment lookup  ocset image-lookup deploy/mysql--list# Disable local name lookup on image stream mysql  ocset image-lookup mysql--enabled=false# Set local name lookup on all image streams  ocset image-lookup--all

Clear both readiness and liveness probes off all containers

# Clear both readiness and liveness probes off all containers  ocset probe dc/myapp--remove--readiness--liveness# Set an exec action as a liveness probe to run 'echo ok'  ocset probe dc/myapp--liveness --echo ok# Set a readiness probe to try to open a TCP socket on 3306  ocset probe rc/mysql--readiness --open-tcp=3306# Set an HTTP startup probe for port 8080 and path /healthz over HTTP on the pod IP  ocset probe dc/webapp--startup --get-url=http://:8080/healthz# Set an HTTP readiness probe for port 8080 and path /healthz over HTTP on the pod IP  ocset probe dc/webapp--readiness --get-url=http://:8080/healthz# Set an HTTP readiness probe over HTTPS on 127.0.0.1 for a hostNetwork pod  ocset probe dc/router--readiness --get-url=https://127.0.0.1:1936/stats# Set only the initial-delay-seconds field on all deployments  ocset probedc--all--readiness --initial-delay-seconds=30

Set a deployments nginx container CPU limits to "200m and memory to 512Mi"

# Set a deployments nginx container CPU limits to "200m and memory to 512Mi"  ocset resources deployment nginx-c=nginx--limits=cpu=200m,memory=512Mi# Set the resource request and limits for all containers in nginx  ocset resources deployment nginx--limits=cpu=200m,memory=512Mi--requests=cpu=100m,memory=256Mi# Remove the resource requests for resources on containers in nginx  ocset resources deployment nginx--limits=cpu=0,memory=0--requests=cpu=0,memory=0# Print the result (in YAML format) of updating nginx container limits locally, without hitting the server  ocset resources-f path/to/file.yaml--limits=cpu=200m,memory=512Mi--local-o yaml

Print the backends on the route 'web'

# Print the backends on the route 'web'  ocset route-backends web# Set two backend services on route 'web' with 2/3rds of traffic going to 'a'  ocset route-backends weba=2b=1# Increase the traffic percentage going to b by 10%% relative to a  ocset route-backends web--adjustb=+10%%# Set traffic percentage going to b to 10%% of the traffic going to a  ocset route-backends web--adjustb=10%%# Set weight of b to 10  ocset route-backends web--adjustb=10# Set the weight to all backends to zero  ocset route-backends web--zero